Introduction

The HTTP Connector element represents a
Connector component that supports the HTTP/1.1 protocol.
It enables Catalina to function as a stand-alone web server, in addition
to its ability to execute servlets and JSP pages. A particular instance
of this component listens for connections on a specific TCP port number
on the server. One or more such Connectors can be
configured as part of a single Service, each
forwarding to the associated Engine to perform
request processing and create the response.

If you wish to configure the Connector that is used
for connections to web servers using the AJP protocol (such as the
mod_jk 1.2.x connector for Apache 1.3), please refer to the
AJP Connector documentation.

Each incoming request requires
a thread for the duration of that request. If more simultaneous requests
are received than can be handled by the currently available request
processing threads, additional threads will be created up to the
configured maximum (the value of the maxThreads attribute).
If still more simultaneous requests are received, they are stacked up
inside the server socket created by the Connector, up to
the configured maximum (the value of the acceptCount
attribute). Any further simultaneous requests will receive "connection
refused" errors, until resources are available to process them.

Attributes

Common Attributes

All implementations of Connector
support the following attributes:

Attribute

Description

allowTrace

A boolean value which can be used to enable or disable the TRACE
HTTP method. If not specified, this attribute is set to false.

asyncTimeout

The default timeout for asynchronous requests in milliseconds. If not
specified, this attribute is set to the Servlet specification default of
30000 (30 seconds).

defaultSSLHostConfigName

The name of the default SSLHostConfig that will be
used for secure connections (if this connector is configured for secure
connections) if the client connection does not provide SNI or if the SNI
is provided but does not match any configured
SSLHostConfig. If not specified the default value of
_default_ will be used.

enableLookups

Set to true if you want calls to
request.getRemoteHost() to perform DNS lookups in
order to return the actual host name of the remote client. Set
to false to skip the DNS lookup and return the IP
address in String form instead (thereby improving performance).
By default, DNS lookups are disabled.

maxHeaderCount

The maximum number of headers in a request that are allowed by the
container. A request that contains more headers than the specified limit
will be rejected. A value of less than 0 means no limit.
If not specified, a default of 100 is used.

maxParameterCount

The maximum number of parameter and value pairs (GET plus POST) which
will be automatically parsed by the container. Parameter and value pairs
beyond this limit will be ignored. A value of less than 0 means no limit.
If not specified, a default of 10000 is used. Note that
FailedRequestFilterfilter can be
used to reject requests that hit the limit.

maxPostSize

The maximum size in bytes of the POST which will be handled by
the container FORM URL parameter parsing. The limit can be disabled by
setting this attribute to a value less than zero. If not specified, this
attribute is set to 2097152 (2 megabytes). Note that the
FailedRequestFilter
can be used to reject requests that exceed this limit.

maxSavePostSize

The maximum size in bytes of the POST which will be saved/buffered by
the container during FORM or CLIENT-CERT authentication. For both types
of authentication, the POST will be saved/buffered before the user is
authenticated. For CLIENT-CERT authentication, the POST is buffered for
the duration of the SSL handshake and the buffer emptied when the request
is processed. For FORM authentication the POST is saved whilst the user
is re-directed to the login form and is retained until the user
successfully authenticates or the session associated with the
authentication request expires. The limit can be disabled by setting this
attribute to -1. Setting the attribute to zero will disable the saving of
POST data during authentication. If not specified, this attribute is set
to 4096 (4 kilobytes).

parseBodyMethods

A comma-separated list of HTTP methods for which request
bodies will be parsed for request parameters identically
to POST. This is useful in RESTful applications that want to
support POST-style semantics for PUT requests.
Note that any setting other than POST causes Tomcat
to behave in a way that goes against the intent of the servlet
specification.
The HTTP method TRACE is specifically forbidden here in accordance
with the HTTP specification.
The default is POST

port

The TCP port number on which this Connector
will create a server socket and await incoming connections. Your
operating system will allow only one server application to listen
to a particular port number on a particular IP address. If the special
value of 0 (zero) is used, then Tomcat will select a free port at random
to use for this connector. This is typically only useful in embedded and
testing applications.

protocol

Sets the protocol to handle incoming traffic. The default value is
HTTP/1.1 which uses an auto-switching mechanism to select
either a Java NIO based connector or an APR/native based connector.
If the PATH (Windows) or LD_LIBRARY_PATH (on
most unix systems) environment variables contain the Tomcat native
library, and the AprLifecycleListener that is used to
initialize APR has its useAprConnector attribute set to
true, the APR/native connector will be used. If the native library
cannot be found or the attribute is not configured, the Java NIO based
connector will be used. Note that the APR/native connector has different
settings for HTTPS than the Java connectors.
To use an explicit protocol rather than rely on the auto-switching
mechanism described above, the following values may be used:org.apache.coyote.http11.Http11NioProtocol -
non blocking Java NIO connectororg.apache.coyote.http11.Http11Nio2Protocol -
non blocking Java NIO2 connectororg.apache.coyote.http11.Http11AprProtocol -
the APR/native connector.
Custom implementations may also be used.
Take a look at our Connector
Comparison chart. The configuration for both Java connectors is
identical, for http and https.
For more information on the APR connector and APR specific SSL settings
please visit the APR documentation

proxyName

If this Connector is being used in a proxy
configuration, configure this attribute to specify the server name
to be returned for calls to request.getServerName().
See Proxy Support for more
information.

proxyPort

If this Connector is being used in a proxy
configuration, configure this attribute to specify the server port
to be returned for calls to request.getServerPort().
See Proxy Support for more
information.

redirectPort

If this Connector is supporting non-SSL
requests, and a request is received for which a matching
<security-constraint> requires SSL transport,
Catalina will automatically redirect the request to the port
number specified here.

scheme

Set this attribute to the name of the protocol you wish to have
returned by calls to request.getScheme(). For
example, you would set this attribute to "https"
for an SSL Connector. The default value is "http".

secure

Set this attribute to true if you wish to have
calls to request.isSecure() to return true
for requests received by this Connector. You would want this on an
SSL Connector or a non SSL connector that is receiving data from a
SSL accelerator, like a crypto card, a SSL appliance or even a webserver.
The default value is false.

sendReasonPhrase

Set this attribute to true if you wish to have
a reason phrase in the response.
The default value is false.

Note: This option is deprecated and will be removed
in Tomcat 9. The reason phrase will not be sent.

URIEncoding

This specifies the character encoding used to decode the URI bytes,
after %xx decoding the URL. If not specified, UTF-8 will be used unless
the org.apache.catalina.STRICT_SERVLET_COMPLIANCEsystem property is set to true
in which case ISO-8859-1 will be used.

useBodyEncodingForURI

This specifies if the encoding specified in contentType should be used
for URI query parameters, instead of using the URIEncoding. This
setting is present for compatibility with Tomcat 4.1.x, where the
encoding specified in the contentType, or explicitly set using
Request.setCharacterEncoding method was also used for the parameters from
the URL. The default value is false.

Notes: 1) This setting is applied only to the
query string of a request. Unlike URIEncoding it does not
affect the path portion of a request URI. 2) If request character
encoding is not known (is not provided by a browser and is not set by
SetCharacterEncodingFilter or a similar filter using
Request.setCharacterEncoding method), the default encoding is always
"ISO-8859-1". The URIEncoding setting has no effect on
this default.

useIPVHosts

Set this attribute to true to cause Tomcat to use
the IP address that the request was received on to determine the Host
to send the request to. The default value is false.

xpoweredBy

Set this attribute to true to cause Tomcat to advertise
support for the Servlet specification using the header recommended in the
specification. The default value is false.

Standard Implementation

The standard HTTP connectors (NIO, NIO2 and APR/native) all support the
following attributes in addition to the common Connector attributes listed
above.

Attribute

Description

acceptCount

The maximum queue length for incoming connection requests when
all possible request processing threads are in use. Any requests
received when the queue is full will be refused. The default
value is 100.

acceptorThreadCount

The number of threads to be used to accept connections. Increase this
value on a multi CPU machine, although you would never really need more
than 2. Also, with a lot of non keep alive connections, you
might want to increase this value as well. Default value is
1.

acceptorThreadPriority

The priority of the acceptor threads. The threads used to accept
new connections. The default value is 5 (the value of the
java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc
for the java.lang.Thread class for more details on what
this priority means.

address

For servers with more than one IP address, this attribute specifies
which address will be used for listening on the specified port. By
default, the connector will listen all local addresses. Unless the JVM is
configured otherwise using system properties, the Java based connectors
(NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
with either 0.0.0.0 or ::. The APR/native
connector will only listen on IPv4 addresses if configured with
0.0.0.0 and will listen on IPv6 addresses (and optionally
IPv4 addresses depending on the setting of ipv6onlyv6) if
configured with ::.

allowHostHeaderMismatch

By default Tomcat will reject requests that specify a host in the
request line but specify a different host in the host header. This
chekc can be disabled by setting this attribute to false. If
not specified, the default is false.

allowedTrailerHeaders

By default Tomcat will ignore all trailer headers when processing
chunked input. For a header to be processed, it must be added to this
comma-separated list of header names.

bindOnInit

Controls when the socket used by the connector is bound. By default it
is bound when the connector is initiated and unbound when the connector is
destroyed. If set to false, the socket will be bound when the
connector is started and unbound when it is stopped.

clientCertProvider

When client certificate information is presented in a form other than
instances of java.security.cert.X509Certificate it needs to
be converted before it can be used and this property controls which JSSE
provider is used to perform the conversion. For example it is used with
the AJP connectors, the HTTP APR connector and
with the
org.apache.catalina.valves.SSLValve. If not specified, the default
provider will be used.

compressibleMimeType

The value is a comma separated list of MIME types for which HTTP
compression may be used.
The default value is
text/html,text/xml,text/plain,text/css,text/javascript,application/javascript
.

compression

The Connector may use HTTP/1.1 GZIP compression in
an attempt to save server bandwidth. The acceptable values for the
parameter is "off" (disable compression), "on" (allow compression, which
causes text data to be compressed), "force" (forces compression in all
cases), or a numerical integer value (which is equivalent to "on", but
specifies the minimum amount of data before the output is compressed). If
the content-length is not known and compression is set to "on" or more
aggressive, the output will also be compressed. If not specified, this
attribute is set to "off".

Note: There is a tradeoff between using compression (saving
your bandwidth) and using the sendfile feature (saving your CPU cycles).
If the connector supports the sendfile feature, e.g. the NIO connector,
using sendfile will take precedence over compression. The symptoms will
be that static files greater that 48 Kb will be sent uncompressed.
You can turn off sendfile by setting useSendfile attribute
of the connector, as documented below, or change the sendfile usage
threshold in the configuration of the
DefaultServlet in the default
conf/web.xml or in the web.xml of your web
application.

compressionMinSize

If compression is set to "on" then this attribute
may be used to specify the minimum amount of data before the output is
compressed. If not specified, this attribute is defaults to "2048".

connectionLinger

The number of seconds during which the sockets used by this
Connector will linger when they are closed. The default
value is -1 which disables socket linger.

connectionTimeout

The number of milliseconds this Connector will wait,
after accepting a connection, for the request URI line to be
presented. Use a value of -1 to indicate no (i.e. infinite) timeout.
The default value is 60000 (i.e. 60 seconds) but note that the standard
server.xml that ships with Tomcat sets this to 20000 (i.e. 20 seconds).
Unless disableUploadTimeout is set to false,
this timeout will also be used when reading the request body (if any).

connectionUploadTimeout

Specifies the timeout, in milliseconds, to use while a data upload is
in progress. This only takes effect if
disableUploadTimeout is set to false.

disableUploadTimeout

This flag allows the servlet container to use a different, usually
longer connection timeout during data upload. If not specified, this
attribute is set to true which disables this longer timeout.

executor

A reference to the name in an Executor
element. If this attribute is set, and the named executor exists, the
connector will use the executor, and all the other thread attributes will
be ignored. Note that if a shared executor is not specified for a
connector then the connector will use a private, internal executor to
provide the thread pool.

executorTerminationTimeoutMillis

The time that the private internal executor will wait for request
processing threads to terminate before continuing with the process of
stopping the connector. If not set, the default is 5000 (5
seconds).

keepAliveTimeout

The number of milliseconds this Connector will wait
for another HTTP request before closing the connection. The default value
is to use the value that has been set for the
connectionTimeout attribute.
Use a value of -1 to indicate no (i.e. infinite) timeout.

maxConnections

The maximum number of connections that the server will accept and
process at any given time. When this number has been reached, the server
will accept, but not process, one further connection. This additional
connection be blocked until the number of connections being processed
falls below maxConnections at which point the server will
start accepting and processing new connections again. Note that once the
limit has been reached, the operating system may still accept connections
based on the acceptCount setting. The default value varies by
connector type. For NIO and NIO2 the default is 10000.
For APR/native, the default is 8192.

Note that for APR/native on Windows, the configured value will be
reduced to the highest multiple of 1024 that is less than or equal to
maxConnections. This is done for performance reasons.
If set to a value of -1, the maxConnections feature is disabled
and connections are not counted.

maxCookieCount

The maximum number of cookies that are permitted for a request. A value
of less than zero means no limit. If not specified, a default value of 200
will be used.

maxExtensionSize

Limits the total length of chunk extensions in chunked HTTP requests.
If the value is -1, no limit will be imposed. If not
specified, the default value of 8192 will be used.

maxHttpHeaderSize

The maximum size of the request and response HTTP header, specified
in bytes. If not specified, this attribute is set to 8192 (8 KB).

maxKeepAliveRequests

The maximum number of HTTP requests which can be pipelined until
the connection is closed by the server. Setting this attribute to 1 will
disable HTTP/1.0 keep-alive, as well as HTTP/1.1 keep-alive and
pipelining. Setting this to -1 will allow an unlimited amount of
pipelined or keep-alive HTTP requests.
If not specified, this attribute is set to 100.

maxSwallowSize

The maximum number of request body bytes (excluding transfer encoding
overhead) that will be swallowed by Tomcat for an aborted upload. An
aborted upload is when Tomcat knows that the request body is going to be
ignored but the client still sends it. If Tomcat does not swallow the body
the client is unlikely to see the response. If not specified the default
of 2097152 (2 megabytes) will be used. A value of less than zero indicates
that no limit should be enforced.

maxThreads

The maximum number of request processing threads to be created
by this Connector, which therefore determines the
maximum number of simultaneous requests that can be handled. If
not specified, this attribute is set to 200. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
-1 to make clear that it is not used.

maxTrailerSize

Limits the total length of trailing headers in the last chunk of
a chunked HTTP request. If the value is -1, no limit will be
imposed. If not specified, the default value of 8192 will be
used.

minSpareThreads

The minimum number of threads always kept running. If not specified,
the default of 10 is used. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
-1 to make clear that it is not used.

noCompressionUserAgents

The value is a regular expression (using java.util.regex)
matching the user-agent header of HTTP clients for which
compression should not be used,
because these clients, although they do advertise support for the
feature, have a broken implementation.
The default value is an empty String (regexp matching disabled).

processorCache

The protocol handler caches Processor objects to speed up performance.
This setting dictates how many of these objects get cached.
-1 means unlimited, default is 200. If not using
Servlet 3.0 asynchronous processing, a good default is to use the same as
the maxThreads setting. If using Servlet 3.0 asynchronous processing, a
good default is to use the larger of maxThreads and the maximum number of
expected concurrent requests (synchronous and asynchronous).

rejectIllegalHeaderName

If an HTTP request is received that contains an illegal header name
(i.e. the header name is not a token) this setting determines if the
request will be rejected with a 400 response (true) or if the
illegal header be ignored (false). The default value is
false which will cause the request to be processed but the
illegal header will be ignored.

restrictedUserAgents

The value is a regular expression (using java.util.regex)
matching the user-agent header of HTTP clients for which
HTTP/1.1 or HTTP/1.0 keep alive should not be used, even if the clients
advertise support for these features.
The default value is an empty String (regexp matching disabled).

server

Overrides the Server header for the http response. If set, the value
for this attribute overrides any Server header set by a web application.
If not set, any value specified by the application is used. If the
application does not specify a value then no Server header is set.

serverRemoveAppProvidedValues

If true, any Server header set by a web
application will be removed. Note that if server is set,
this attribute is effectively ignored. If not set, the default value of
false will be used.

SSLEnabled

Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
set this value to true.
The default value is false.
When turning this value true you will want to set the
scheme and the secure attributes as well
to pass the correct request.getScheme() and
request.isSecure() values to the servlets
See SSL Support for more information.

tcpNoDelay

If set to true, the TCP_NO_DELAY option will be
set on the server socket, which improves performance under most
circumstances. This is set to true by default.

threadPriority

The priority of the request processing threads within the JVM.
The default value is 5 (the value of the
java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc
for the java.lang.Thread class for more details on what
this priority means. If an executor is associated
with this connector, this attribute is ignored as the connector will
execute tasks using the executor rather than an internal thread pool. Note
that if an executor is configured any value set for this attribute will be
recorded correctly but it will be reported (e.g. via JMX) as
-1 to make clear that it is not used.

Java TCP socket attributes

The NIO and NIO2 implementation support the following Java TCP
socket attributes in addition to the common Connector and HTTP attributes
listed above.

(bool)Boolean value for the socket's keep alive setting
(SO_KEEPALIVE). JVM default used if not set.

socket.ooBInline

(bool)Boolean value for the socket OOBINLINE setting. JVM default
used if not set.

socket.soReuseAddress

(bool)Boolean value for the sockets reuse address option
(SO_REUSEADDR). JVM default used if not set.

socket.soLingerOn

(bool)Boolean value for the sockets so linger option (SO_LINGER).
A value for the standard attribute connectionLinger
that is >=0 is equivalent to setting this to true.
A value for the standard attribute connectionLinger
that is <0 is equivalent to setting this to false.
Both this attribute and soLingerTime must be set else the
JVM defaults will be used for both.

socket.soLingerTime

(int)Value in seconds for the sockets so linger option (SO_LINGER).
This is equivalent to standard attribute
connectionLinger.
Both this attribute and soLingerOn must be set else the
JVM defaults will be used for both.

socket.soTimeout

This is equivalent to standard attribute
connectionTimeout.

socket.performanceConnectionTime

(int)The first value for the performance settings. See
Socket Performance Options.
All three performance attributes must be set else the JVM defaults will
be used for all three.

socket.performanceLatency

(int)The second value for the performance settings. See
Socket Performance Options.
All three performance attributes must be set else the JVM defaults will
be used for all three.

socket.performanceBandwidth

(int)The third value for the performance settings. See
Socket Performance Options.
All three performance attributes must be set else the JVM defaults will
be used for all three.

socket.unlockTimeout

(int) The timeout for a socket unlock. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself.
The default value is 250 and the value is in milliseconds

NIO specific configuration

The following attributes are specific to the NIO connector.

Attribute

Description

pollerThreadCount

(int)The number of threads to be used to run for the polling events.
Default value is 1 per processor but not more than 2.
When accepting a socket, the operating system holds a global lock. So the benefit of
going above 2 threads diminishes rapidly. Having more than one thread is for
system that need to accept connections very rapidly. However usually just
increasing acceptCount will solve that problem.
Increasing this value may also be beneficial when a large amount of send file
operations are going on.

pollerThreadPriority

(int)The priority of the poller threads.
The default value is 5 (the value of the
java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc
for the java.lang.Thread class for more details on what
this priority means.

selectorTimeout

(int)The time in milliseconds to timeout on a select() for the
poller. This value is important, since connection clean up is done on
the same thread, so do not set this value to an extremely high one. The
default value is 1000 milliseconds.

useSendfile

(bool)Use this attribute to enable or disable sendfile capability.
The default value is true. Note that the use of sendfile
will disable any compression that Tomcat may otherwise have performed on
the response.

socket.directBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. If true then
java.nio.ByteBuffer.allocateDirect() is used to allocate
the buffers, if false then
java.nio.ByteBuffer.allocate() is used. The default value
is false.
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Sun's JDK
that would be something like -XX:MaxDirectMemorySize=256m.

socket.directSslBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers for the SSL buffers. If true then
java.nio.ByteBuffer.allocateDirect() is used to allocate
the buffers, if false then
java.nio.ByteBuffer.allocate() is used. The default value
is false.
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Oracle's JDK
that would be something like -XX:MaxDirectMemorySize=256m.

socket.appReadBufSize

(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at 8192 bytes. For lower
concurrency, you can increase this to buffer more data. For an extreme
amount of keep alive connections, decrease this number or increase your
heap size.

socket.appWriteBufSize

(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at 8192 bytes. For low
concurrency you can increase this to buffer more response data. For an
extreme amount of keep alive connections, decrease this number or
increase your heap size.
The default value here is pretty low, you should up it if you are not
dealing with tens of thousands concurrent connections.

socket.bufferPool

(int)The NIO connector uses a class called NioChannel that holds
elements linked to a socket. To reduce garbage collection, the NIO
connector caches these channel objects. This value specifies the size of
this cache. The default value is 500, and represents that
the cache will hold 500 NioChannel objects. Other values are
-1 for unlimited cache and 0 for no cache.

(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is 500. Other values are
-1 for unlimited cache and 0 for no cache.

socket.keyCache

(int)Tomcat will cache KeyAttachment objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is 500. Other values are
-1 for unlimited cache and 0 for no cache.

socket.eventCache

(int)Tomcat will cache PollerEvent objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is 500. Other values are
-1 for unlimited cache and 0 for no cache.

selectorPool.maxSelectors

(int)The max selectors to be used in the pool, to reduce selector
contention. Use this option when the command line
org.apache.tomcat.util.net.NioSelectorShared value is set
to false. Default value is 200.

selectorPool.maxSpareSelectors

(int)The max spare selectors to be used in the pool, to reduce
selector contention. When a selector is returned to the pool, the system
can decide to keep it or let it be GC'd. Use this option when the
command line org.apache.tomcat.util.net.NioSelectorShared
value is set to false. Default value is -1 (unlimited).

command-line-options

The following command line options are available for the NIO
connector:-Dorg.apache.tomcat.util.net.NioSelectorShared=true|false
- default is true. Set this value to false if you wish to
use a selector for each thread. When you set it to false, you can
control the size of the pool of selectors by using the
selectorPool.maxSelectors attribute.

NIO2 specific configuration

The following attributes are specific to the NIO2 connector.

Attribute

Description

useSendfile

(bool)Use this attribute to enable or disable sendfile capability.
The default value is true. Note that the use of sendfile
will disable any compression that Tomcat may otherwise have performed on
the response.

socket.directBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers. If true then
java.nio.ByteBuffer.allocateDirect() is used to allocate
the buffers, if false then
java.nio.ByteBuffer.allocate() is used. The default value
is false.
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Sun's JDK
that would be something like -XX:MaxDirectMemorySize=256m.

socket.directSslBuffer

(bool)Boolean value, whether to use direct ByteBuffers or java mapped
ByteBuffers for the SSL buffers. If true then
java.nio.ByteBuffer.allocateDirect() is used to allocate
the buffers, if false then
java.nio.ByteBuffer.allocate() is used. The default value
is false.
When you are using direct buffers, make sure you allocate the
appropriate amount of memory for the direct memory space. On Oracle's JDK
that would be something like -XX:MaxDirectMemorySize=256m.

socket.appReadBufSize

(int)Each connection that is opened up in Tomcat get associated with
a read ByteBuffer. This attribute controls the size of this buffer. By
default this read buffer is sized at 8192 bytes. For lower
concurrency, you can increase this to buffer more data. For an extreme
amount of keep alive connections, decrease this number or increase your
heap size.

socket.appWriteBufSize

(int)Each connection that is opened up in Tomcat get associated with
a write ByteBuffer. This attribute controls the size of this buffer. By
default this write buffer is sized at 8192 bytes. For low
concurrency you can increase this to buffer more response data. For an
extreme amount of keep alive connections, decrease this number or
increase your heap size.
The default value here is pretty low, you should up it if you are not
dealing with tens of thousands concurrent connections.

socket.bufferPool

(int)The NIO2 connector uses a class called Nio2Channel that holds
elements linked to a socket. To reduce garbage collection, the NIO2
connector caches these channel objects. This value specifies the size of
this cache. The default value is 500, and represents that
the cache will hold 500 Nio2Channel objects. Other values are
-1 for unlimited cache and 0 for no cache.

socket.processorCache

(int)Tomcat will cache SocketProcessor objects to reduce garbage
collection. The integer value specifies how many objects to keep in the
cache at most. The default is 500. Other values are
-1 for unlimited cache and 0 for no cache.

APR/native specific configuration

The following attributes are specific to the APR/native connector.

Attribute

Description

deferAccept

Sets the TCP_DEFER_ACCEPT flag on the listening socket
for this connector. The default value is true where
TCP_DEFER_ACCEPT is supported by the operating system,
otherwise it is false.

ipv6v6only

If listening on an IPv6 address on a dual stack system, should the
connector only listen on the IPv6 address? If not specified the default
is false and the connector will listen on the IPv6 address
and the equivalent IPv4 address if present.

pollerThreadCount

Number of threads used to poll kept alive connections. On Windows the
default is chosen so that the sockets managed by each thread is
less than 1024. For Linux the default is 1. Changing the default on
Windows is likely to have a negative performance impact.

pollTime

Duration of a poll call in microseconds. Lowering this value will
slightly decrease latency of connections being kept alive in some cases,
but will use more CPU as more poll calls are being made. The default
value is 2000 (2ms).

sendfileSize

Amount of sockets that the poller responsible for sending static
files asynchronously can hold at a given time. Extra connections will be
closed right away without any data being sent (resulting in a zero
length file on the client side). Note that in most cases, sendfile is a
call that will return right away (being taken care of "synchronously" by
the kernel), and the sendfile poller will not be used, so the amount of
static files which can be sent concurrently is much larger than the
specified amount. The default value is 1024.

threadPriority

(int)The priority of the acceptor and poller threads.
The default value is 5 (the value of the
java.lang.Thread.NORM_PRIORITY constant). See the JavaDoc
for the java.lang.Thread class for more details on what
this priority means.

useSendfile

(bool)Use this attribute to enable or disable sendfile capability.
The default value is true. Note that the use of sendfile
will disable any compression that Tomcat may otherwise have performed on
the response.

Nested Components

First implemented in Tomcat 9 and back-ported to 8.5, Tomcat now supports
Server Name Indication (SNI). This allows multiple SSL configurations to be
associated with a single secure connector with the configuration used for any
given connection determined by the host name requested by the client. To
facilitate this, the SSLHostConfig element was added which
can be used to define one of these configurations. Any number of
SSLHostConfig may be nested in a Connector.
At the same time, support was added for multiple certificates to be associated
with a single SSLHostConfig. Each SSL certificate is
therefore configured in a Certificate element with in an
SSLHostConfig. For further information, see the SSL Support
section below.

Special Features

HTTP/1.1 and HTTP/1.0 Support

This Connector supports all of the required features
of the HTTP/1.1 protocol, as described in RFCs 7230-7235, including persistent
connections, pipelining, expectations and chunked encoding. If the client
supports only HTTP/1.0 or HTTP/0.9, the
Connector will gracefully fall back to supporting this
protocol as well. No special configuration is required to enable this
support. The Connector also supports HTTP/1.0
keep-alive.

RFC 7230 requires that HTTP servers always begin their responses with
the highest HTTP version that they claim to support. Therefore, this
Connector will always return HTTP/1.1 at
the beginning of its responses.

HTTP/2 Support

HTTP/2 is support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c)
and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP
connector the following UpgradeProtocol element must be
nested within the Connector with a
className attribute of
org.apache.coyote.http2.Http2Protocol.

Because Java 8's TLS implementation does not support ALPN (which is
required for HTTP/2 over TLS), you must be using an OpenSSL based TLS
implementation to enable HTTP/2 support. See the
sslImplementationName attribute of the
Connector.

Proxy Support

The proxyName and proxyPort attributes can
be used when Tomcat is run behind a proxy server. These attributes
modify the values returned to web applications that call the
request.getServerName() and request.getServerPort()
methods, which are often used to construct absolute URLs for redirects.
Without configuring these attributes, the values returned would reflect
the server name and port on which the connection from the proxy server
was received, rather than the server name and port to whom the client
directed the original request.

SSL Support

You can enable SSL support for a particular instance of this
Connector by setting the SSLEnabled attribute to
true.

You will also need to set the scheme and secure
attributes to the values https and true
respectively, to pass correct information to the servlets.

The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
an OpenSSL implementation, whereas the APR/native connector uses OpenSSL only.
Prior to Tomcat 8.5, different configuration attributes were used for JSSE and
OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common configuration
attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL
implementation, configuration can be set using either the JSSE or APR
attributes (note: but not both types within the same configuration). This is
to aid simpler switching between connector implementations for SSL
connectors.

Each secure connector must define at least one
SSLHostConfig. The names of the
SSLHostConfig elements must be unique and one of them must
match the defaultSSLHostConfigName attribute of the
Connector.

Each SSLHostConfig must in turn define at least one
Certificate. The types of the Certificates
must be unique.

As of Tomcat 8.5, the majority of the SSL configuration attributes in the
Connector are deprecated. If specified, they will be used to
configure a SSLHostConfig and Certificate
for the defaultSSLHostConfigName. Note that if an explicit
SSLHostConfig element also exists for the
defaultSSLHostConfigName then that will be treated as a configuration
error. It is expected that Tomcat 10 will drop support for the SSL
configuration attributes in the Connector.

SSL Support - SSLHostConfig

Attribute

Description

certificateRevocationFile

Name of the file that contains the concatenated certificate revocation
lists for the certificate authorities. The format is PEM-encoded. If not
defined, client certificates will not be checked against a certificate
revocation list (unless an OpenSSL based connector is used and
certificateRevocationPath is defined). Relative paths
will be resolved against $CATALINA_BASE. JSSE based
connectors may also specify a URL for this attribute.

certificateRevocationPath

OpenSSL only.

Name of the directory that contains the certificate revocation lists
for the certificate authorities. The format is PEM-encoded. Relative paths
will be resolved against $CATALINA_BASE.

certificateVerification

Set to required if you want the SSL stack to require a
valid certificate chain from the client before accepting a connection.
Set to optional if you want the SSL stack to request a client
Certificate, but not fail if one isn't presented. Set to
optionalNoCA if you want client certificates to be optional
and you don't want Tomcat to check them against the list of trusted CAs.
If the TLS provider doesn't support this option (OpenSSL does, JSSE does
not) it is treated as if optional was specified. A
none value (which is the default) will not require a
certificate chain unless the client requests a resource protected by a
security constraint that uses CLIENT-CERT authentication.

certificateVerificationDepth

The maximum number of intermediate certificates that will be allowed
when validating client certificates. If not specified, the default value
of 10 will be used.

caCertificateFile

OpenSSL only.

Name of the file that contains the concatenated certificates for the
trusted certificate authorities. The format is PEM-encoded.

caCertificatePath

OpenSSL only.

Name of the directory that contains the certificates for the trusted
certificate authorities. The format is PEM-encoded.

ciphers

The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
documentation for the list of ciphers supported and the syntax).
Alternatively, a comma separated list of ciphers using the standard
OpenSSL cipher names or the standard JSSE cipher names may be used.

When converting from OpenSSL syntax to JSSE ciphers for JSSE based
connectors, the behaviour of the OpenSSL syntax parsing is kept aligned
with the behaviour of the OpenSSL 1.1.0 development branch.

Only the ciphers that are supported by the SSL implementation will be
used.

If not specified, a default (using the OpenSSL notation) of
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA will be
used.

Note that, by default, the order in which ciphers are defined is
treated as an order of preference. See honorCipherOrder.

disableCompression

OpenSSL only.

Configures if compression is disabled. The default is
true. If the OpenSSL version used does not support disabling
compression then the default for that OpenSSL version will be used.

disableSessionTickets

OpenSSL only.

Disables use of TLS session tickets (RFC 5077) if set to
true. Default is false. Note that when TLS
session tickets are in use, the full peer certificate chain will only be
available on the first connection. Subsequent connections (that use a
ticket to estrablish the TLS session) will only have the peer certificate,
not the full chain.

honorCipherOrder

Set to true to enforce the server's cipher order
(from the ciphers setting) instead of allowing
the client to choose the cipher. The default is false.
Use of this feature requires Java 8 or later.

hostName

The name of the SSL Host. This should either be the fully qualified
domain name (e.g. tomcat.apache.org) or a wild card domain
name (e.g. *.apache.org). If not specified, the default value
of _default_ will be used.

insecureRenegotiation

OpenSSL only.

Configures if insecure renegotiation is allowed. The default is
false. If the OpenSSL version used does not support
configuring if insecure renegotiation is allowed then the default for that
OpenSSL version will be used.

keyManagerAlgorithm

JSSE only.

The KeyManager algorithm to be used. This defaults to
KeyManagerFactory.getDefaultAlgorithm() which returns
SunX509 for Sun JVMs. IBM JVMs return
IbmX509. For other vendors, consult the JVM
documentation for the default value.

protocols

The names of the protocols to support when communicating with clients.
This should be a list of any combination of the following:

SSLv2Hello

SSLv3

TLSv1

TLSv1.1

TLSv1.2

all

Each token in the list can be prefixed with a plus sign ("+")
or a minus sign ("-"). A plus sign adds the protocol, a minus sign
removes it form the current list. The list is built starting from
an empty list.

The token all is an alias for
SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2.

Note that SSLv2Hello will be ignored for OpenSSL based
secure connectors. If more than one protocol is specified for an OpenSSL
based secure connector it will always support SSLv2Hello. If a
single protocol is specified it will not support
SSLv2Hello.

Note that SSLv2 and SSLv3 are inherently
unsafe.

If not specified, the default value of all will be
used.

revocationEnabled

JSSE only.

Should the JSSE provider enable certificate revocation checks? If
certificateRevocationListFile is set then this attribute
is ignored and revocation checks are always enabled. This attribute is
intended to enable revocation checks that have been configured for the
current JSSE provider via other means. If not specified, a default of
false is used.

sessionCacheSize

JSSE only.

The number of SSL sessions to maintain in the session cache. Use 0 to
specify an unlimited cache size. If not specified, a default of 0 is
used.

sessionTimeout

JSSE only.

The time, in seconds, after the creation of an SSL session that it will
timeout. Use 0 to specify an unlimited timeout. If not specified, a
default of 86400 (24 hours) is used.

sslProtocol

JSSE only.

The SSL protocol(s) to use (a single value may enable multiple
protocols - see the JVM documentation for details). If not specified, the
default is TLS. The permitted values may be obtained from the
JVM documentation for the allowed values for algorithm when creating an
SSLContext instance e.g.
Oracle Java 7. Note: There is overlap between this attribute and
protocols.

trustManagerClassName

JSSE only.

The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must
also implement javax.net.ssl.X509TrustManager. If this
attribute is set, the trust store attributes may be ignored.

truststoreAlgorithm

JSSE only.

The algorithm to use for truststore. If not specified, the default
value returned by
javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is
used.

truststoreFile

JSSE only.

The trust store file to use to validate client certificates. The
default is the value of the javax.net.ssl.trustStore system
property. If neither this attribute nor the default system property is
set, no trust store will be configured. Relative paths
will be resolved against $CATALINA_BASE. A URL may also be
used for this attribute.

truststorePassword

JSSE only.

The password to access the trust store. The default is the value of the
javax.net.ssl.trustStorePassword system property. If that
property is null, no trust store password will be configured. If an
invalid trust store password is specified, a warning will be logged and an
attempt will be made to access the trust store without a password which
will skip validation of the trust store contents.

truststoreProvider

JSSE only.

The name of the truststore provider to be used for the server
certificate. The default is the value of the
javax.net.ssl.trustStoreProvider system property. If
that property is null, the value of keystoreProvider is used
as the default. If neither this attribute, the default system property nor
keystoreProvideris set, the list of registered providers is
traversed in preference order and the first provider that supports the
truststoreType is used.

truststoreType

JSSE only.

The type of key store used for the trust store. The default is the
value of the javax.net.ssl.trustStoreType system property. If
that property is null, a single certificate has been configured for this
TLS virtual host and that certificate has a keystoreType that
is not PKCS12 then the default will be the
keystoreType of the single certificate. If none of these
identify a default, the default will be JKS.

SSL Support - Certificate

Attribute

Description

certificateFile

Name of the file that contains the server certificate. The format is
PEM-encoded. Relative paths will be resolved against
$CATALINA_BASE.

In addition to the certificate, the file can also contain as optional
elements DH parameters and/or an EC curve name for ephemeral keys, as
generated by openssl dhparam and openssl ecparam,
respectively. The output of the respective OpenSSL command can simply
be concatenated to the certificate file.

certificateChainFile

Name of the file that contains the certificate chain associated with
the server certificate used. The format is
PEM-encoded. Relative paths will be resolved against
$CATALINA_BASE.

The certificate chain used for Tomcat should not include the server
certificate as its first element.

Note that when using more than one certificate for different types,
they all must use the same certificate chain.

certificateKeyAlias

JSSE only.

The alias used for the server key and certificate in the keystore. If
not specified, the first key read from the keystore will be used. The
order in which keys are read from the keystore is implementation
dependent. It may not be the case that keys are read from the keystore in
the same order as they were added. If more than one key is present in the
keystore it is strongly recommended that a keyAlias is configured to
ensure that the correct key is used.

certificateKeyFile

Name of the file that contains the server private key. The format is
PEM-encoded. The default value is the value of
certificateFile and in this case both certificate and
private key have to be in this file (NOT RECOMMENDED). Relative paths will
be resolved against $CATALINA_BASE.

certificateKeyPassword

The password used to access the private key associated with the server
certificate from the specified file.

If not specified, the default behaviour for JSSE is to use the
certificateKeystorePassword. For OpenSSL the default
behaviour is not to use a password.

certificateKeystoreFile

JSSE only.

The pathname of the keystore file where you have stored the server
certificate and key to be loaded. By default, the pathname is the file
.keystore in the operating system home directory of the user
that is running Tomcat. If your keystoreType doesn't need a
file use "" (empty string) or NONE for this
parameter. Relative paths will be resolved against
$CATALINA_BASE. A URL may also be used for this attribute.

certificateKeystorePassword

JSSE only.

The password to use to access the keystore containing the server's
private key and certificate. If not specified, a default of
changeit will be used.

certificateKeystoreProvider

JSSE only.

The name of the keystore provider to be used for the server
certificate. If not specified, the value of the system property
javax.net.ssl.keyStoreProvider is used. If neither this
attribute nor the system property are set, the list of registered
providers is traversed in preference order and the first provider that
supports the keystoreType is used.

certificateKeystoreType

JSSE only.

The type of keystore file to be used for the server certificate.
If not specified, the value of the system property
javax.net.ssl.keyStoreType is used. If neither this attribute
nor the system property are set, a default value of "JKS". is
used.

type

The type of certificate. This is used to identify the ciphers that are
compatible with the certificate. It must be one of UNDEFINED,
RSA, DSS or EC. If only one
Certificate is nested within a SSLHostConfig
then this attribute is not required and will default to
UNDEFINED. If multiple Certificates are
nested within a SSLHostConfig then this attribute is required
and each Certificate must have a unique type.

SSL Support - Connector - NIO and NIO2

When APR/native is enabled, the connectors will default to using OpenSSL through JSSE,
which may be more optimized than the JSSE Java implementation depending on the processor being used,
and can be complemented with many commercial accelerator components.

The following NIO and NIO2 SSL configuration attributes are not specific to
a virtual host and, therefore, must be configured on the connector.

Attribute

Description

sniParseLimit

In order to implement SNI support, Tomcat has to parse the first TLS
message received on a new TLS connection (the client hello) to extract the
requested server name. The message needs to be buffered so it can then be
passed to the JSSE implementation for normal TLS processing. In theory,
this first message could be very large although in practice it is
typically a few hundred bytes. This attribute sets the maximum message
size that Tomcat will buffer. If a message exceeds this size, the
connection will be configured as if no server name was indicated by the
client. If not specified a default of 65536 (64k) will be
used.

sslImplementationName

The class name of the SSL implementation to use. If not specified and
the tomcat-native library is not installed, the
default of org.apache.tomcat.util.net.jsse.JSSEImplementation
will be used which wraps JVM's default JSSE provider. Note that the
JVM can be configured to use a different JSSE provider as the default.
Tomcat also bundles a special SSL implementation for JSSE that is backed
by OpenSSL. To enable it, the native library should be enabled as if
intending to use the APR connector, and Tomcat will automatically enable it
and the default value of this attribute becomes
org.apache.tomcat.util.net.openssl.OpenSSLImplementation.
In that case, the attributes from either JSSE and OpenSSL
configuration styles can be used, as long as the two types are not mixed
(for example, it is not allowed to define use of a Java keystore and
specify a separate pem private key using the OpenSSL attribute).

SSL Support - Connector - NIO and NIO2 (deprecated)

The following NIO and NIO2 SSL configuration attributes have been
deprecated in favor of the default
SSLHostConfig element.

Attribute

Description

algorithm

This is an alias for the keyManagerAlgorithm attribute of
the default SSLHostConfig
element.

ciphers

This is an alias for the ciphers attribute of the default
SSLHostConfig element.

clientAuth

This is an alias for the certificateVerification attribute
of the default SSLHostConfig
element.

crlFile

This is an alias for the certificateRevocationFile
attribute of the default
SSLHostConfig element.

keyAlias

This is an alias for the certificateKeyAlias attribute of
the first Certificate element
nested in the default
SSLHostConfig element.

keyPass

This is an alias for the certificateKeyPassword attribute
of the first Certificate element
nested in the default
SSLHostConfig element.

keystoreFile

This is an alias for the certificateKeystoreFile attribute
of the first Certificate element
nested in the default
SSLHostConfig element.

keystorePass

This is an alias for the certificateKeystorePassword
attribute of the first
Certificate element nested in the
default SSLHostConfig
element.

keystoreProvider

This is an alias for the certificateKeystoreProvider
attribute of the first
Certificate element nested in the
default SSLHostConfig
element.

keystoreType

This is an alias for the certificateKeystoreType attribute
of the first Certificate element
nested in the default
SSLHostConfig element.

sessionCacheSize

This is an alias for the sessionCacheSize attribute of the
default SSLHostConfig
element.

sessionTimeout

This is an alias for the sessionTimeout attribute of the
default SSLHostConfig
element.

sslEnabledProtocols

This is an alias for the protocols attribute of the
default SSLHostConfig
element.

sslProtocol

This is an alias for the sslProtocol attribute of the
default SSLHostConfig
element.

trustManagerClassName

This is an alias for the trustManagerClassName attribute
of the default SSLHostConfig
element.

trustMaxCertLength

This is an alias for the certificateVerificationDepth
attribute of the default
SSLHostConfig element.

truststoreAlgorithm

This is an alias for the truststoreAlgorithm attribute of
the default SSLHostConfig
element.

truststoreFile

This is an alias for the truststoreFile attribute of
the default SSLHostConfig
element.

truststorePass

This is an alias for the truststorePassword attribute of
the default SSLHostConfig
element.

truststoreProvider

This is an alias for the truststoreProvider attribute of
the default SSLHostConfig
element.

truststoreType

This is an alias for the truststoreType attribute of
the default SSLHostConfig
element.

useServerCipherSuitesOrder

This is an alias for the honorCipherOrder attribute of the
default SSLHostConfig
element.

SSL Support - Connector - APR/Native (deprecated)

When APR/native is enabled, the HTTPS connector will use a socket poller
for keep-alive, increasing scalability of the server. It also uses OpenSSL,
which may be more optimized than JSSE depending on the processor being used,
and can be complemented with many commercial accelerator components. Unlike
the HTTP connector, the HTTPS connector cannot use sendfile to optimize static
file processing.

The HTTPS APR/native connector has the same attributes than the HTTP
APR/native connector, but adds OpenSSL specific ones. For the full details on
using OpenSSL, please refer to OpenSSL documentations and the many books
available for it (see the Official OpenSSL
website). The SSL specific attributes for the APR/native connector are:

Attribute

Description

SSLCACertificateFile

This is an alias for the caCertificateFile
attribute of the default
SSLHostConfig element.

SSLCACertificatePath

This is an alias for the caCertificatePath
attribute of the default
SSLHostConfig element.

SSLCARevocationFile

This is an alias for the certificateRevocationFile
attribute of the default
SSLHostConfig element.

SSLCARevocationPath

This is an alias for the certificateRevocationPath
attribute of the default
SSLHostConfig element.

SSLCertificateFile

This is an alias for the certificateFile attribute of the
first Certificate element nested
in the default SSLHostConfig
element.

SSLCertificateKeyFile

This is an alias for the certificateKeyFile attribute of the
first Certificate element nested
in the default SSLHostConfig
element.

SSLCipherSuite

This is an alias for the ciphers attribute of the default
SSLHostConfig element.

SSLDisableCompression

This is an alias for the disableCompression attribute of
the default SSLHostConfig
element.

SSLHonorCipherOrder

This is an alias for the honorCipherOrder attribute of the
default SSLHostConfig
element.

SSLPassword

This is an alias for the certificateKeyPassword attribute
of the first Certificate element
nested in the default
SSLHostConfig element.

SSLProtocol

This is an alias for the protocols attribute of the
default SSLHostConfig
element.

SSLVerifyClient

This is an alias for the certificateVerification attribute
of the default SSLHostConfig
element.

SSLVerifyDepth

This is an alias for the certificateVerificationDepth
attribute of the default
SSLHostConfig element.

SSLDisableSessionTickets

This is an alias for the disableSessionTickets attribute
of the default SSLHostConfig
element.